Red Hat Bugzilla – Bug 168420
mod_ssl - CAN-2005-2700 "SSLVerifyClient require" possibly not enforced
Last modified: 2007-04-18 13:31:31 EDT
Description of problem:
This is a quote from
which is an annoucement dated 2005-09-02:
'A subtle security bug (CAN-2005-2700) was discovered in mod_ssl where
where "SSLVerifyClient require" was not enforced in per-location context
if "SSLVerifyClient optional" was configured in the global virtual
A version 2.8.12-8 showed up in RHEL updates with a fix for this bug.
there are corresponding sources which were used to rebuild fixed mod_ssl
on RH7.3 system.
This also includes fixes for some other possible problesm still present
in 2.8.12-7.legacy (see %changelog spec section for details).
Version-Release number of selected component (if applicable):
This CAN is fixed in #166941 which is in updates-testing (which is tracked under
'httpd' -- this may be confusing, but mod_ssl ceased being a separate package
*** This bug has been marked as a duplicate of 166941 ***